Mozilla Browser Proxy Server Authentication Credential Disclosure

2003-09-09T00:00:00
ID OSVDB:8387
Type osvdb
Reporter Lluis Mora(llmora@gibnet.gi)
Modified 2003-09-09T00:00:00

Description

Vulnerability Description

Mozilla contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a web server sends a "407 Proxy Authentication Required" response after the browser has already authenticated to a proxy server. By setting the realm in its Proxy-Authenticate challenge to match the one used by the legitimate proxy, the attacking web server tricks the browser into resending the proxy credentials it cached for that realm. Because Proxy-Authorization is a hop-by-hop credential intended only for the proxy that issued the challenge, replaying it to an origin server discloses the proxy credentials to the attacking web server, resulting in a loss of confidentiality.
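The behaviour described above, simulated as an added example (this is not code from the advisory or from Mozilla): a minimal model of a browser's proxy-credential cache in its flawed form, which keys cached credentials on the realm alone and replays them to any host that sends a 407 with a matching realm, next to a strict form that binds cached credentials to the proxy that issued the challenge and never attaches Proxy-Authorization to a connection that is not to the configured proxy. The host names, the realm string, the credentials and the 407 responses are constructed for the example.

```python
import base64
import re

# Constructed names for this illustration; none of them appear in the advisory.
CONFIGURED_PROXY = "proxy.example.internal:3128"   # next hop for proxied URLs
ATTACKER_ORIGIN = "attacker.example:80"             # a web server reached directly
CREDENTIALS = ("alice", "s3cret")                   # what the user typed for the proxy


def challenge(realm):
    """Constructed 407 response carrying a Basic Proxy-Authenticate challenge."""
    return (
        b"HTTP/1.1 407 Proxy Authentication Required\r\n"
        b'Proxy-Authenticate: Basic realm="' + realm.encode() + b'"\r\n'
        b"Content-Length: 0\r\n\r\n"
    )


def parse_proxy_challenge(raw):
    """Return (status, scheme, realm) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            m = re.match(r'\s*(\w+)\s+realm="([^"]*)"', value)
            if m:
                return status, m.group(1), m.group(2)
    return status, None, None


def basic_header(user, password):
    """Build the Proxy-Authorization header for Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Proxy-Authorization": f"Basic {token}"}


class Browser:
    """Model of a client's proxy-credential handling.

    strict=False reproduces the flaw the advisory describes: credentials are
    cached by realm alone and replayed to whatever host sent a 407 whose
    realm matches.  strict=True keys the cache on the next hop that issued
    the challenge and never attaches Proxy-Authorization on a connection
    that is not to the configured proxy.
    """

    def __init__(self, proxy, strict):
        self.proxy = proxy
        self.strict = strict
        self.cache = {}

    def _key(self, next_hop, realm):
        return (next_hop, realm) if self.strict else realm

    def on_407(self, next_hop, raw, prompt):
        """Handle a 407 received on the connection to next_hop.

        prompt(realm) stands in for the password dialog and returns
        (user, password).  Returns the headers the client would resend,
        or None when it refuses to answer the challenge.
        """
        status, scheme, realm = parse_proxy_challenge(raw)
        if status != 407 or scheme != "Basic" or realm is None:
            return None
        if self.strict and next_hop != self.proxy:
            # A 407 from anything but our proxy is a protocol error, not a
            # reason to prompt or to replay cached proxy credentials.
            return None
        key = self._key(next_hop, realm)
        creds = self.cache.get(key)
        if creds is None:
            creds = prompt(realm)
            self.cache[key] = creds
        return basic_header(*creds)


def simulate(strict):
    """First the real proxy challenges and the user authenticates; then an
    attacking web server replays the same realm.  Returns what the attacker
    receives (None means nothing leaked)."""
    def prompt(realm):
        return CREDENTIALS

    browser = Browser(CONFIGURED_PROXY, strict)
    browser.on_407(CONFIGURED_PROXY, challenge("corp-proxy"), prompt)
    return browser.on_407(ATTACKER_ORIGIN, challenge("corp-proxy"), prompt)


if __name__ == "__main__":
    print("flawed:", simulate(strict=False))
    print("strict:", simulate(strict=True))
```

Running the block prints the Proxy-Authorization header the attacker receives in the flawed mode and None in the strict mode. The strict rule follows from Proxy-Authorization being a hop-by-hop credential: it is meaningful only on the connection to the proxy that challenged, so matching on the realm string alone, which any server can copy, is never sufficient.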

Solution Description

Upgrade to version 1.4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

Short Description

Mozilla resends cached proxy authentication credentials to any web server that returns a "407 Proxy Authentication Required" response with a realm matching that of the proxy the browser already authenticated to, disclosing the proxy credentials to that server.

References:

Vendor Specific Advisory URL
Vendor Specific Advisory URL
Bugtraq ID: 9326